The HackerOne Success Index - Reward Competitiveness

  • January 6th, 2016

In case you missed them, check out the Overview and Vulnerabilities Fixed installments of our blogpost series on the HackerOne Success Index.

There are clear bounty patterns within HackerOne-powered programs, and this third post in our blog series on the HackerOne Success Index (HSI) digs into data across hundreds of customers and nearly 15,000 rewards. A program's average bounty is the highest weighted factor in the Reward Competitiveness dimension, followed by equal weighting for the overall number of rewards, the bounty range, and the maximum award. While success in vulnerability disclosure does not require paying bounties, strong patterns have emerged from those programs that do offer monetary awards.

Average Rewards

The graph above shows a 90-day moving average of the mean reward amount on HackerOne over the last twelve months for both top performers in this dimension and the platform average. The platform average hovers just below $500 with a slight upward trend, while the top performers started below $750 but are nearing a $1,000 average with a clear increasing trend.

Our data suggest a few lessons:

  • Programs usually start with lower awards, or even no bounty, as researchers find and address minor vulnerabilities.
  • Mature programs should target at least the platform bounty average, reflecting the fact that vulnerabilities become more difficult and time-consuming to discover.
  • To attract and retain the best researchers, programs need to target a higher bounty average and steadily increase rewards over time to maintain competitiveness with top performers.

Reward Distribution

The chart above shows the long-tail distribution of monetary rewards across the entire HackerOne platform. This reflects a power law (in particular, the Pareto principle, or 80-20 rule): just over 20% of bounties are at or above the HackerOne average of $500 and nearly 80% of bounty amounts fall below it. Such a distribution is both expected and desirable, as it closely tracks the distribution of vulnerability severity. In this chart, we broke the Y-axis to focus on the distribution, with about 1% of bounties at $5,000 or above, up to our current highest single bounty of $30,000.

Our data suggest a few lessons:

  • Researchers appreciate when bounties are paid in proportion to their risk ($100 for a small bug, $5,000+ for an RCE).
  • Minimum bounties should be set well below your target average, providing the flexibility to match reward to severity.
  • Set and communicate a maximum that is orders of magnitude above your minimum to attract deeper engagement.

Please send us any questions or feedback. Our next installment will look at the HackerOne Success Index dimension of Response Efficiency.

– HackerOne Customer Success and Data Science team